Understanding authentication in Blazor and ASP.NET Core - Part 3

In this post, we will delve into the intricacies of authentication in ASP.NET Core and explore how to implement them effectively.

Information

This post draws inspiration from the following Microsoft link: Overview of ASP.NET Core authentication.

Important

We must acknowledge that Microsoft modifies the configuration settings of an ASP.NET application with each new release of the framework, which can indeed be quite tedious. Is it not feasible for them to maintain stable Program.cs and Startup.cs classes ?

For this article, we are reliant on .NET 8.

What is the operational mechanism of authentication in ASP.NET Core ?

Authentication in ASP.NET Core or Blazor is undeniably a complex subject, and our aim is to present it in the most comprehensible manner possible. Additionally, it's important to note that certain differences may arise based on the configuration chosen at the startup of the solution.

How does ASP.NET discern the necessity for authentication ?

The answer is rather straightforward: we designate pages requiring authentication by adorning them with the [Authorize] attribute, and indicate in the Routes.cs class that certain routes should be authenticated with the AuthorizeRouteView tag.

1@page "/"
2@attribute [Authorize]
3
4<PageTitle>Home</PageTitle>
5
6<h1>Hello, world!</h1>
7
8Welcome to your new app.
 1<Router AppAssembly="@typeof(Program).Assembly">
 2    <Found Context="routeData">
 3        <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(Layout.MainLayout)">
 4            <NotAuthorized>
 5                @{
 6                    navigationManager.NavigateTo("/login", true);
 7                }
 8            </NotAuthorized>
 9        </AuthorizeRouteView>        
10        <FocusOnNavigate RouteData="@routeData" Selector="h1" />
11    </Found>
12    <NotFound>
13        @{
14            navigationManager.NavigateTo("/login", true);
15        }
16    </NotFound>
17</Router>

These configurations will instruct ASP.NET to employ a mechanism for verifying the identity of the current user through an authentication process. However, which process does it choose ? There are numerous possibilities: users can be authenticated using cookies, JWT tokens, the SAML protocol, or other methods. Once again, the answer is rather straightforward: ASP.NET selects the method that we configure !

So, how to to configure authentication ?

Important

A bit of terminology: an authentication process in ASP.NET Core is referred to as an authentication scheme in Microsoft jargon.

Therefore, we need to define one or more authentication schemes (it is perfectly acceptable to offer users multiple login options). The good news is that Microsoft already provides native schemes and simplifies the development of custom ones.

Here, for example, we configure our application to require authentication when a cookie named "Auth" is present in the user's browser. If this cookie is not present, users are redirected to the login page. We didn't need to write complex or convoluted code to fetch and decrypt the cookie because ASP.NET Core provides this functionality natively.

The equivalent code in C# is as follows (add it to the Program.cs file).

 1public static void Main(string[] args)
 2{
 3    // ...
 4
 5    // Add authentication options
 6    builder.Services.AddAuthentication("Auth")
 7        .AddCookie("Auth", options =>
 8        {			
 9            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
10            options.SlidingExpiration = true;
11            options.LoginPath = "/login";
12        });
13    builder.Services.AddCascadingAuthenticationState();
14
15    // ...
16
17    app.UseAuthentication();
18    app.UseAuthorization();
19    
20    app.UseStaticFiles();
21    app.UseAntiforgery();
22
23    app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
24
25    app.Run();
26}

Notice in this code snippet how :

  • we define an authentication scheme named "Auth" based on cookies
  • we designate it as the default authentication scheme

Configured in this manner, the ASP.NET engine comprehends that authentication is required, and that it can be executed using a cookie in a browser.

At this stage, of course, we are redirected to the login page as the cookie does not exist. Now, we need to establish a method to create it.

Finalizing the authentication process

How to login ?

Here, we will construct an oversimplified login page to authenticate a user. In a real-world scenario, we would need to retrieve data from a datastore to verify the accuracy of the credentials. However, for illustrative purposes, we will create the necessary cookie directly without performing any verification.

The Login button triggers a POST method, so we will create a controller that responds to this request and generates the required cookie within it.

  • Add a new folder in the project, name it Authentication and add a controller named AuthController within it.

  • Add the following code in AuthController.cs.

 1public class AuthController : Controller
 2{
 3    [HttpPost]
 4    [AllowAnonymous]
 5    public async Task<IActionResult> CookieLogin()
 6    {
 7        // Generate the claims
 8        var claims = new List<Claim>();
 9        claims.Add(new Claim(ClaimTypes.Name, "John Patton"));
10        claims.Add(new Claim(ClaimTypes.Role, "Contributor"));
11
12        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Auth"));
13
14        await HttpContext.SignInAsync("Auth", principal).ConfigureAwait(false);
15		
16        return Redirect("/");
17    }
18}
Information

The SignInAsync method of HttpContext is a native method that allows us to sign in a principal for the default authentication scheme.

In our case, since the authentication scheme relies on cookies, this method will handle the creation of the cookie for us, considering the underlying code for encryption, expiration and so forth.

  • Edit the Login.razor class.
1@page "/login"
2
3<form action="Auth/CookieLogin" method="post">
4    <button type="submit" class="btn btn-primary">Login</button>
5</form>
  • Edit also the Program.cs class.
 1public static void Main(string[] args)
 2{
 3    var builder = WebApplication.CreateBuilder(args);
 4
 5    // Add services to the container.
 6    builder.Services.AddControllersWithViews();
 7    builder.Services.AddRazorComponents().AddInteractiveServerComponents();
 8
 9    // Add authentication options
10    builder.Services.AddAuthentication("Auth")
11        .AddCookie("Auth", options =>
12        {
13            
14            options.ExpireTimeSpan = TimeSpan.FromMinutes(20);
15            options.SlidingExpiration = true;
16            options.LoginPath = "/login";
17        });
18    builder.Services.AddCascadingAuthenticationState();
19
20    var app = builder.Build();
21
22    // Configure the HTTP request pipeline.
23    if (!app.Environment.IsDevelopment())
24    {
25        app.UseExceptionHandler("/Error");
26        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
27        app.UseHsts();
28    }
29
30    app.UseRouting();
31
32    app.UseAuthentication();
33    app.UseAuthorization();
34
35    app.UseStaticFiles();
36    app.UseAntiforgery();
37
38    app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
39    app.UseEndpoints(endpoints =>
40    {
41        endpoints.MapControllerRoute("default", "{controller}/{action}");
42    });
43
44    app.Run();
45}

Now, when we click on Login, a cookie is generated, and we can navigate within the application.

How to logout ?

Similarly, we can implement the logout process by invoking the SignOutAsync method of HttpContext.

 1public class AuthController : Controller
 2{
 3    [HttpPost]
 4    [AllowAnonymous]
 5    public async Task<IActionResult> CookieLogin()
 6    {
 7        //...
 8    }
 9	
10    [HttpPost]
11    public async Task<IActionResult> CookieLogout()
12    {
13        await HttpContext.SignOutAsync("Auth").ConfigureAwait(false);
14		
15        return Redirect("/login");
16    }
17}

The logic presented here was rather basic, and now we delve into a more intricate topic with authentication based on the SAML protocol.